July 22, 2014

Target CEO resigns five months after data breach revelation

At the end of December last year, during one of the busiest shopping seasons, the US retailer Target revealed that payment details from up to 40 million credit cards had been stolen after being used on card-swipe machines at 1,797 of its stores. The attack started just before Black Friday and continued for about two and a half weeks.

Five months on from the announcement of the data breach, Target’s board of directors has decided to remove Gregg Steinhafel as chairman and chief executive, saying it wanted new leadership to help restore consumer confidence. The official text from the board of directors thanks Steinhafel for his “significant contributions and outstanding service throughout his notable 35-year career with the company” but blames the CEO directly for the data breach: “Most recently, Gregg led the response to Target’s 2013 data breach. He held himself personally accountable…” And now it looks like that accountability has lost him his job.

After the attack occurred, details started to emerge showing that Target could have prevented it. According to Bloomberg, Target had invested $1.6 million installing a malware detection tool from FireEye.

Target used a team of security specialists in Bangalore to monitor its network. On Saturday, Nov. 30, the hackers uploaded malware to Target’s network so that they could copy the stolen credit card details. FireEye spotted the malware along with some suspicious activity and the Bangalore team alerted their bosses in Minneapolis. But it appears that the security team in Minneapolis did nothing.

Since the breach, Target has faced at least 90 lawsuits and been forced to spend at least $61 million to settle them. According to Brian Krebs, Target does not have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO). Krebs also estimates that the cyber criminals probably made somewhere around $53 million from the sale of stolen credit card details.

It is thought that details of up to 3 million cards were successfully sold on the black market and used before the issuing banks managed to cancel the whole batch of 40 million cards.

Malware used on point-of-sale terminals to steal details of 40 million credit cards

A few days before Christmas the US retail giant Target revealed that payment details from up to 40 million credit cards could have been stolen after being used on card-swipe machines at 1,797 Target stores. The breach started just before Black Friday and continued for about two and a half weeks.

Target CEO Gregg Steinhafel revealed in a CNBC interview yesterday that the cyber-thieves stole the credit card numbers, CVV numbers and encrypted PIN codes of 40 million customers by installing malware into the point-of-sale devices used in the Target stores. This same malware also allowed the thieves to take personally identifiable information, including postal addresses and phone numbers, on a total of 70 million shoppers.

At the time of the breach, Brian Krebs revealed that sources at credit card payment processing firms had told him about the data-stealing malware, but this is the first time that the existence of the malware has been confirmed by Target itself.

“We don’t know the full extent of what transpired, but what we do know was there was malware installed on our point-of-sale registers,” Steinhafel said. “We eliminated the malware in the access point, we were very confident that coming into Monday guests could come to Target and shop with confidence and no risk.”

The security breach was discovered on December 15th, but Target didn’t go public until December 19th. As a result, the company is coming under increasing pressure to justify the four-day delay in notifying its customers. According to Steinhafel, the sequence of events from the 15th was as follows:

  • Day 1 – Breach discovered and malware removed from POS registers.
  • Day 2 – Initiating the investigation work and the forensic work.
  • Day 3 – Setting up the call center and preparing store employees for customer queries.
  • Day 4 – Public disclosure.

Target was not the only US retailer to suffer a security breach in the run-up to Christmas. Reuters reports that at least three other well-known but unidentified retailers experienced smaller breaches that have yet to be made public. According to people familiar with the situations, these three retailers were attacked using techniques similar to the ones used on Target. There is speculation that the perpetrators of the Target attack may also be responsible for these other security breaches.

Bugs planted in PIN pad machines to steal credit card numbers of Barnes & Noble customers

(LiveHacking.Com) – Barnes & Noble has uncovered a sophisticated scheme in which criminals planted bugs in certain PIN pad devices used in its book stores. These bugs were designed to capture credit card details and PIN numbers. As soon as Barnes & Noble discovered the scheme, it disconnected all PIN pads from all of its stores nationwide.

After an internal investigation, Barnes & Noble detected tampering with PIN pad devices used in 63 of its stores. The tampering was limited to one compromised PIN pad in each of the affected stores. Having discontinued use of all PIN pads in its nearly 700 stores nationwide, which happened by close of business September 14, the popular book store notified federal law enforcement authorities.

“Barnes & Noble has completed an internal investigation that involved the inspection and validation of every PIN pad in every store. The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases. This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads,” said the company in a statement.

As a precaution, B&N is suggesting that customers who have swiped their cards at any of the Barnes & Noble stores with affected PIN pads take the following steps: debit card users should change the PIN numbers on their debit cards and review their accounts for unauthorized transactions, while credit card users should just review their statements for any unauthorized transactions.

Worried customers can call 1-888-471-7809, between the hours of 8:00 AM and 8:00 PM Eastern Standard Time, with any related questions.

The planted bugs only worked with PIN pad devices; online purchases from Barnes & Noble.com, NOOK and NOOK mobile apps were not affected.

New Twitter account shows that people post credit card details online

(LiveHacking.Com) – There is a saying in some parts that “there is one born every minute” and it usually refers to those who, how can it be put politely, have been known to act unwisely! A new Twitter account, @NeedADebitCard, has been set up to search Twitter for pictures of people’s credit and debit cards. You might think that it should return zero results, but unfortunately quite the opposite is true.

It seems that the elation of either receiving a new credit/debit card in the post or the joy of finding a lost card is causing people to take photos of their cards and post them online. From the photos the card number, the card holder and the expiry date are all clearly visible.

For example, one Twitter user wrote “Just found my credit card” and then published a link to an Instagram photo of the card. Another simply wrote “My credit card !!yey” and then again included a link to a photo of the card. Still another wrote “MY CREDIT CARD !” and again included a full photo of the card. One enthusiastic user wrote “Had to twitpic my debit card so shamar knw i aint playing no games about this bet!” I could go on…

Interestingly, some of the pictures posted using Instagram seem to have been deleted. Is this because Instagram is deleting them to help protect users? However, this hasn’t stopped the popularity of the account, which now has over 4,500 followers and is growing daily.

Enough information is being posted for criminals to attempt to use the card information in ‘card not present’ purchases, which don’t require the CVV or CVC security numbers found on the back of the cards.